Bug 626262 - bind doesn't include the dns root key
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bind (Show other bugs)
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
: Reopened
Reported: 2010-08-22 21:03 EDT by Scott Schmit
Modified: 2013-04-30 19:46 EDT (History)

Fixed In Version: bind-9.7.3-1.fc15
Doc Type: Bug Fix
Clone Of: 626238
Last Closed: 2011-02-26 23:50:27 EST
Description Scott Schmit 2010-08-22 21:03:49 EDT
+++ This bug was initially created as a clone of Bug #626238 +++

Description of problem:
The DNS root key has been signed since 15 July 2010. The bind configuration does not include the DNS root key for validation by default.

Version-Release number of selected component (if applicable):
bind-9.7.1-2.P2.fc13.i686

How reproducible:
100%

Steps to Reproduce:
1. Install bind
2. Look for the DNS root key in the configuration
Actual results:
It's not there

Expected results:
It should be there, near the DLV keys (which are still useful until all the TLDs get signed)

Additional info:
https://data.iana.org/root-anchors/root-anchors.xml
Comment 1 Adam Tkac 2010-11-08 08:28:55 EST
The root key is included in Fedora 14 (/etc/named.root.key). I'm not going to release an update for F13 that adds the root key. If you think I should reconsider this decision, please reopen this bug. Closing.
Comment 2 Scott Schmit 2010-11-08 19:48:36 EST
What's your rationale?
Comment 3 Adam Tkac 2010-11-09 05:08:03 EST
(In reply to comment #2)
> What's your rationale?

Well, in my opinion it's not a good idea to modify the default named.conf and include the root DNSKEY there, because it can cause serious problems (the root domain and all its signed subdomains will be validated instead of the domains in DLV).

If I include the root DNSKEY in the bind package then, I think, the vast majority of people will miss this change and won't modify their named.conf.

For those reasons I think root DNSKEY inclusion in Fedora 13 doesn't bring any benefit. However, as I said in comment #1, if you think I should reconsider my decision then please reopen this bug and I will release an update.
Comment 4 Scott Schmit 2010-11-09 07:10:55 EST
I think you should reconsider.

You can still validate against both the root and the DLV. Looking at just the TLDs, 37 are in the root and not the DLV, another 9 are in both, and only arpa and kg are in the DLV and not in the root (as of root serial 2010110801). Even so, there are still people using the DLV until .com and .net get secured (ripe.net, etc), so the DLV has use yet.

Also, since the format of the root key at the IANA URL is different from BIND's, getting the root key via a signed Fedora package is easier and more trustworthy for a less-savvy user, even if you don't choose to enable the root key by default (though if you can reliably do so without breaking configs, I think you should).
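Comment 4 notes that the IANA file publishes DS-style digests while BIND's trusted-keys wants the DNSKEY itself, so an operator converting by hand has to check the two against each other. The following Python is an added example, not part of the bug report or the bind package: it parses a constructed stand-in for root-anchors.xml (the digest value is a placeholder, not the real root DS) and checks a candidate DNSKEY against the published key tag and DS digest per RFC 4034 before it would be trusted.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the IANA root-anchors.xml layout; the Digest is a
# placeholder (hypothetical), not the real root DS digest.
SAMPLE_ROOT_ANCHORS = """<TrustAnchor id="example" source="https://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="example" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>%s</Digest>
  </KeyDigest>
</TrustAnchor>""" % ("00" * 32)

def parse_root_anchors(xml_text):
    """One dict per <KeyDigest>: the DS-style fields IANA publishes for the zone."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip()
    return [{"zone": zone,
             "key_tag": int(kd.findtext("KeyTag")),
             "algorithm": int(kd.findtext("Algorithm")),
             "digest_type": int(kd.findtext("DigestType")),
             "digest": kd.findtext("Digest").strip().lower()}
            for kd in root.findall("KeyDigest")]

def dnskey_rdata(flags, protocol, algorithm, key):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag (any algorithm except the obsolete RSAMD5)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, flags, protocol, algorithm, key, digest_type):
    """DS digest (RFC 4034 5.1.4): hash of canonical owner name in wire form + DNSKEY RDATA."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]  # "." gives no labels
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(wire + dnskey_rdata(flags, protocol, algorithm, key)).hexdigest()

def matches_anchor(anchor, flags, protocol, algorithm, key):
    """True only if the candidate DNSKEY's algorithm, key tag and DS digest all match the anchor."""
    return (anchor["algorithm"] == algorithm
            and anchor["key_tag"] == key_tag(flags, protocol, algorithm, key)
            and anchor["digest"] == ds_digest(anchor["zone"], flags, protocol, algorithm,
                                              key, anchor["digest_type"]))
```

A key whose tag or digest does not match the published anchor should not be pasted into trusted-keys, whatever its source claims.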
Comment 5 Fedora Update System 2011-02-18 10:30:33 EST
bind-9.7.3-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc14
Comment 6 Fedora Update System 2011-02-18 10:30:56 EST
bind-9.7.3-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc15
Comment 7 Fedora Update System 2011-02-18 10:31:18 EST
bind-9.7.3-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc13
Comment 8 Fedora Update System 2011-02-18 20:22:20 EST
bind-9.7.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update bind'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/bind-9.7.3-1.fc14
Comment 9 Fedora Update System 2011-02-26 23:50:06 EST
bind-9.7.3-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2011-03-01 20:46:59 EST
bind-9.7.3-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2011-03-02 22:05:29 EST
bind-9.7.3-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
